Red Hat Bugzilla – Bug 1287745
RFE: Add more fields to use composing audit rules to the exclude filter
Last modified: 2016-06-02 15:43:34 EDT
Description of problem:
The exclude filter was created a long time ago to filter out SELinux AVCs to meet the Common Criteria profile for CAPP. Currently the only field that can be used for filtering is the msgtype field. There are times when an admin may want to exclude events coming from user space or syscall events using uid, auid, session ID, or even SELinux types.
The lowest common denominator is the credentials that come from netlink during user-space-originating events. It might be possible to combine the filters for user and exclude, which would give a little more flexibility in writing rules for the exclude filter. The only issue is that the semantics are different between them: the user filter passes selected events, whereas the exclude filter deletes selected events.
Closing this as we are tracking upstream RFEs on GitHub now, see link on comment #1.